
[cobalt-security] hacked again!



Hello,

My 2 Cobalt servers, a RaQ3i and a RaQ4r (with all .pkg updates), were hacked
and compromised about 2 months ago. They were also used to attack other
servers in something that seemed to be a cyber war between some universities
in the US. I got them restored and installed portsentry and logcheck and have
installed all security upgrades and other patches all the time.

For the last few days my RaQs have been destroyed and hacked down again. This
time it looks like some Korean hacker group and maybe other groups too.
Hackers have once again destroyed and compromised our Cobalt servers. We have
about 300 sites, mostly small and medium size companies that rent space on
the RaQ servers; we are a small web company that has had a nice growth rate.
We are now beginning to lose our customers and it seems like the hackers not
only take our servers, but are also crushing our business.

If we now restore the RaQ servers and once again in a few months' time get
hacked and cracked, I don't think there will be any customers left. I am
very frustrated and it seems like they have once again been using some kind
of bombing of requests to the servers. For me it looks like the way they
hacked their first opening into the servers was with an attack on the DNS,
requesting from named a combination of:

AXFR, Lame server requested in in-addr.arpa and AXFR zone transfer

I got an alarm e-mail delivered after the Cobalt went down in the first
attack:

Over the past fifteen minutes, the CPU has been heavily loaded.
1 minute load average:	53.99
5 minute load average:	53.97
15 minute load average:	53.91

I think these are very high numbers.

And all they needed to do was to ask the Cobalt for some AXFR and it kneeled
and opened up the doors for the hackers and let them into the server, where
they compromised and destroyed. Now it may seem like I am sarcastic and
bitter, and actually it is true... I AM. To compromise and hack into the
Cobalt RaQ servers looks a little bit too easy, after all those patches and
extra installation of software. And all Cobalt support says is you have to
restore the servers and migrate those sites you can, like that is something
we all had better learn to do before breakfast on a regular basis. Forgetting
that they sold these servers as hosting servers, there are hundreds of
customers' sites and mail services also present on these servers. (If I
restore the individual backup solutions delivered on the RaQs will not work!)

AND IF I RESTORE, WHEN WILL IT BE HACKED AGAIN, TOMORROW? Maybe we are lucky
and a whole month goes by until the next time they get hacked and destroyed?

I paste some spread parts of the logs at the end of the mail, hoping that it
can help some of you who are not newbies like me to be better off in the
protection of your servers.

Signoff

Kai R Sch...


LOGS:

R=9 RLame=12 ROpts=0 SSysQ=489 SAns=1958 SFwdQ=283 SDupQ=56 SErr=0 RQ=2129 RIQ=0 RFwdQ=283 RDupQ=2 RTCP=116 SFwdR=312 SFail=0 SFErr=0 SNaAns=751 SNXD=43 RUQ=0 RURQ=0 RUXFR=1 RUUpd=0
May  1 01:09:23 www named[722]: approved AXFR from [204.71.145.78].3961 for "mercator.no"
May  1 01:09:23 www named[722]: zone transfer (AXFR) of "mercator.no" (IN) to [204.71.145.78].3961
May  1 01:09:52 www named[722]: approved AXFR from [204.71.145.78].4043 for "algen.no"
May  1 01:09:52 www named[722]: zone transfer (AXFR) of "algen.no" (IN) to [204.71.145.78].4043
May  1 01:15:01 www proftpd[19690]: www.euroraq.net (localhost[127.0.0.1]) - FTP session closed.
May  1 01:15:04 www telnetd[19694]: ttloop: read: Connection reset by peer
May  1 01:15:04 www inetd[688]: pid 19694: exit status 1
May  1 01:30:02 www proftpd[20295]: www.euroraq.net (localhost[127.0.0.1]) - FTP session closed.
May  1 01:30:05 www telnetd[20299]: ttloop: read: Connection reset by peer
May  1 01:30:05 www inetd[688]: pid 20299: exit status 1
May  1 01:44:13 www named[722]: approved AXFR from [212.67.192.185].1457 for "sgn.no"
May  1 01:44:13 www named[722]: zone transfer (AXFR) of "sgn.no" (IN) to [212.67.192.185].1457
------------------------------------------- cut

Apr 30 18:13:08 www named[721]: master zone "hodet.no" (IN) loaded (serial 2001041717)
Apr 30 18:13:08 www named[721]: master zone "nocturnal.no" (IN) loaded (serial 2001040221)
Apr 30 18:13:08 www named[721]: master zone "manuellmedisin.no" (IN) loaded (serial 2001031516)
Apr 30 18:13:08 www named[721]: master zone "ryggskole.no" (IN) loaded (serial 2001031516)
Apr 30 18:13:08 www named[721]: master zone "astonnaviteam.no" (IN) loaded (serial 2001030305)
Apr 30 18:13:08 www named[721]: master zone "vikedalselva.no" (IN) loaded (serial 2001030502)
--------------------------------------------------cut

Apr 30 03:30:05 www inetd[24472]: pid 24400: exit status 1
Apr 30 03:45:02 www proftpd[24985]: www.euroraq.net (localhost[127.0.0.1]) - FTP session closed.
Apr 30 03:45:05 www telnetd[24989]: ttloop: read: Connection reset by peer
Apr 30 03:45:05 www inetd[24472]: pid 24989: exit status 1
Apr 30 03:46:30 www named[738]: Cleaned cache of 22 RRsets
Apr 30 03:46:30 www named[738]: USAGE 988595190 985674424 CPU=211.87u/139.74s CHILDCPU=1.34u/8.46s
Apr 30 03:46:30 www named[738]: NSTATS 988595190 985674424 A=35148 NS=185 SOA=76460 PTR=190994 MX=3849 TXT=85 AAAA=34 SRV=43 AXFR=383 ANY=15235
Apr 30 03:46:30 www named[738]: XSTATS 988595190 985674424 RR=291768 RNXD=25358 RFwdR=153844 RDupR=257 RFail=667 RFErr=0 RErr=144 RAXFR=383 RLame=13933 ROpts=0 SSysQ=104394 SAns=286419 SFwdQ=143518 SDupQ=43759 SErr=0 RQ=325442 RIQ=188 RFwdQ=143518 RDupQ=2452 RTCP=8823 SFwdR=153844 SFail=41 SFErr=0 SNaAns=89368 SNXD=46475 RUQ=0 RURQ=0 RUXFR
-------------------- There were 100++ similar records like the one below
in a very short time period ------------

Apr 26 04:17:58 www named[738]: Lame server on 'bgl1dns-a.dts.in' (in 'dts.in'?): [61.0.0.9].53 'ndl1nms-a.dts.in'

-------------------- cut

If somebody has interest in the whole log, give me a notice and I will send
it.
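An added example, not from the post or the Cobalt software, of the check a logcheck rule or cron job could run over named's syslog lines in the format quoted above: it flags every approved AXFR to a client that is not one of the configured secondary name servers, and parses the load-average alarm mail. The secondary address 192.0.2.53 and the fourth log line are constructed for the example; in BIND the fix itself is an `allow-transfer { ...; };` list in named.conf, which this script only audits.

```python
import re

# "approved AXFR" lines in the BIND 8 syslog format from the post. The first
# three are copied from the post's logs; the fourth is constructed and uses
# the documentation address 192.0.2.53 as a pretend secondary server.
SAMPLE_LOG = """\
May  1 01:09:23 www named[722]: approved AXFR from [204.71.145.78].3961 for "mercator.no"
May  1 01:09:52 www named[722]: approved AXFR from [204.71.145.78].4043 for "algen.no"
May  1 01:44:13 www named[722]: approved AXFR from [212.67.192.185].1457 for "sgn.no"
May  1 02:00:00 www named[722]: approved AXFR from [192.0.2.53].2048 for "mercator.no"
"""

# The alarm mail quoted in the post, used as sample input for load_averages().
SAMPLE_ALARM = """\
Over the past fifteen minutes, the CPU has been heavily loaded.
1 minute load average:\t53.99
5 minute load average:\t53.97
15 minute load average:\t53.91
"""

# Only the secondaries listed in named.conf's allow-transfer should ever show
# up as AXFR clients; any other client received a full copy of the zone.
ALLOWED_SECONDARIES = {"192.0.2.53"}  # constructed placeholder

AXFR_RE = re.compile(
    r'approved AXFR from \[(\d{1,3}(?:\.\d{1,3}){3})\]\.\d+ for "([^"]+)"'
)
LOAD_RE = re.compile(r"(\d+) minute load average:\s*([\d.]+)")


def unexpected_axfr(log_text, allowed):
    """Map each non-allowlisted AXFR client IP to the zones it pulled."""
    hits = {}
    for line in log_text.splitlines():
        m = AXFR_RE.search(line)
        if m and m.group(1) not in allowed:
            hits.setdefault(m.group(1), []).append(m.group(2))
    return hits


def load_averages(alarm_text):
    """Parse the 1/5/15 minute values out of the RaQ load alarm mail."""
    return {int(m.group(1)): float(m.group(2)) for m in LOAD_RE.finditer(alarm_text)}


def overloaded(alarm_text, threshold):
    """True when any reported load average exceeds threshold."""
    return any(v > threshold for v in load_averages(alarm_text).values())


if __name__ == "__main__":
    for ip, zones in unexpected_axfr(SAMPLE_LOG, ALLOWED_SECONDARIES).items():
        print(f"AXFR to non-secondary {ip}: {', '.join(zones)}")
    print("overloaded:", overloaded(SAMPLE_ALARM, 10.0))
```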